Amendments to the Claims
This listing of claims will replace all prior versions of claims in the application: 
Listing of Claims: 

1. (Currently Amended) A security analysis tool for an automation system, comprising:

an interface component that generates a description of one or more industrial controllers,
wherein the description includes at least one of shop floor access patterns, Intranet access
patterns, Internet access patterns, [[and]] or wireless access patterns;

an analyzer component that generates one or more security outputs based on the
description, the one or more security outputs including at least one output deployed to the one or
more industrial controllers that adjusts a security parameter associated with the one or more
industrial controllers; and

a validation component that periodically monitors the one or more industrial [[network]]
controllers following deployment of the one or more security outputs to determine one or more
vulnerabilities related thereto [[and automatically installs one or more security components in
response to the one or more vulnerabilities]].

2. (Currently Amended) The tool of claim 1, at least one of the interface component [[and]] or
the analyzer component operate on a computer and receive one or more factory inputs that 
provide the description. 

3. (Currently Amended) The tool of claim 2, the factory inputs include at least one of user 
input, model inputs, schemas, formulas, equations, files, maps, [[and]] or codes.

4. (Currently Amended) The tool of claim 2, the factory inputs are processed by the 
analyzer component to generate the security outputs, the security outputs including at least one 
of manuals, documents, schemas, executables, codes, files, e-mails, recommendations, 
topologies, configurations, application procedures, parameters, policies, rules, user procedures, 
[[and]] or user practices that are employed to facilitate security measures in an automation system.

5. (Currently Amended) The tool of claim 1, the interface component includes at least one
of a display output having associated display objects and at least one input to facilitate operations
with the analyzer component, the interface component is associated with at least one of an
engine, an application, an editor tool, a web browser, [[and]] or a web service.

6. (Currently Amended) The tool of claim 5, the display objects include at least one of
configurable icons, buttons, sliders, input boxes, selection options, menus, [[and]] or tabs, the
display objects having multiple configurable dimensions, shapes, colors, text, data and sounds to
facilitate operations with the analyzer component.

7. (Currently Amended) The tool of claim 5, the at least one input[[s]] includes receiving
user commands from at least one of a mouse, keyboard, speech input, web site, remote web
service, camera, [[and]] or video input to affect operations of the interface component and the
analyzer component.

8. (Currently Amended) The tool of claim 1, the description includes a model of one or 
more industrial automation assets to be protected and associated network pathways to access the 
one or more industrial automation assets. 

9. (Currently Amended) The tool of claim 1, the description includes at least one of risk 
data [[and]] or cost data that is employed by the analyzer component to determine suitable security
measures. 

10-11. (Cancelled). 

12. (Currently Amended) A security analysis method, comprising:

inputting at least one model related to one or more industrial controllers;

[[monitoring access to the industrial controllers to learn at least one access pattern;]]

generating one or more security outputs based on the at least one model; [[and]]

automatically installing one or more security components based at least in part on the one
or more security outputs[[.]];

monitoring access to the one or more industrial controllers for a predetermined training
period to learn at least one access pattern; and

performing at least one automated security event if a detected deviation from the at least
one access pattern exceeds a tolerance after the training period.

13. (Currently Amended) The method of claim 12, wherein inputting the at least one model
includes inputting the at least one model that is related to at least one of a risk-based model [[and]]
or a cost-based model.

14. (Currently Amended) The method of claim 12, wherein generating the one or more 
security outputs includes generating the one or more security outputs that include at least one of
recommended security components, codes, parameters, settings, related interconnection
topologies, connection configurations, application procedures, security policies, rules, user
procedures, [[and]] or user practices.

15. (Currently Amended) The method of claim 12, further comprising at least one of:

automatically deploying the one or more security outputs to [[one or more entities]] the one
or more industrial controllers; and

utilizing the one or more security outputs to mitigate at least one of unwanted network
access [[and]] or network attack.

16. (Currently Amended) A security analysis system in an industrial automation
environment, comprising: 

means for receiving abstract descriptions of one or more industrial controllers; 
means for learning at least one access pattern for accessing the one or more industrial 
controllers; 

means for generating one or more security outputs based on the abstract descriptions;

means for automatically distributing the one or more security outputs to facilitate network 
security in the industrial automation environment; 

means for automatically detecting a deviation from the at least one access pattern that 
exceeds a threshold; and

means for performing an automated action that alters a current access pattern based at 
least in part on the detected deviation. 

17. (Currently Amended) A security validation system, comprising: 

a scanner component [[to]] that automatically interrogates an industrial automation 
device at periodic intervals for security related data; 

a validation component [[to]] that automatically assesses security capabilities of the 
industrial automation device based upon a comparison of the security related data and one or 
more predetermined security guidelines; 

a security analysis tool that recommends interconnection of one or more industrial 
automation devices to achieve a specified security goal; and 

a component [[to]] that automatically [[install one or more security components]] adjusts at
least one security parameter in the industrial automation device in response to detected security
problems.

18. (Cancelled). 

19. (Currently Amended) The system of claim 17, the validation component performs at least 
one of a security audit, a vulnerability scan, a revision check, an improper configuration check, 
file system check, a registry check, a database permissions check, a user privileges check, a 
password check, [[and]] or an account policy check.

20. (Original) The system of claim 17, the security guidelines are automatically determined.

21. (Previously Presented) The system of claim 46, the host-based component performs
vulnerability scanning and auditing on devices, the network-based component performs 
vulnerability scanning and auditing on networks. 

22. (Cancelled). 

23. (Currently Amended) The system of claim 21, at least one of the host-based component
[[and]] or the network-based component at least one of [[includes]] non-destructively [[mapping]] maps a
topology of information technology (IT) and industrial automation devices, [[checking]] checks
revisions and configurations, [[checking]] checks user attributes, [[and]] or [[checking]] checks access
control lists.

24. (Cancelled). 

25. (Currently Amended) The system of claim 17, further comprising a component that 
initiates a security action in response to the detected security problems, the security action 
includes at least one of automatically correcting the security problems, automatically adjusting
security parameters, altering network traffic patterns, add security components, removing
security components, firing alarms, automatically notifying entities about detected problems and
concerns, generating an error or log file, generating a schema, generating data to re-configure or
re-route network connections, updating a database, [[and]] or updating a remote site.

26. (Currently Amended) An automated security validation method, comprising:

scanning one or more industrial automation devices for potential security violations at
periodic intervals, wherein identity information about end devices that relates to having potential
for hacker entry is gained;

performing an automated security procedure that adjusts at least one security parameter 
on the one or more industrial automation devices based at least in part on the potential security 
violations; and 

determining whether the one or more industrial automation devices conforms to one or 
more industry network security standards following performing the automated security procedure 
thereon. 

27. (Currently Amended) The method of claim 26, further comprising at least one of: 
checking for susceptibility to network-based attacks; 

searching for open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) 
ports; [[and]] or

scanning for vulnerable network services. 

28. (Currently Amended) The method of claim 26, further comprising at least one of:
automatically performing security assessments; 

automatically performing security compliance checks; [[and]] or
automatically performing security vulnerability scanning. 

29. (Currently Amended) The method of claim 26, wherein performing an automated security 
procedure includes performing [[the]] an automated security procedure[[s]] that includes at least one
of automatically performing corrective actions, altering network patterns, adding security
components, removing security components, adjusting security parameters, [[and]] or generating
security data to mitigate network security problems.

30. (Currently Amended) An automated security validation system, comprising:

means for scanning one or more industrial automation devices for potential security
violations;

means for initiating a security procedure that adjusts at least one security parameter in the
one or more industrial automation devices in response to the potential security violations; [[and]]

means for performing at least one of security assessments, security compliance checks,
[[and]] or security vulnerability scanning of the one or more industrial automation devices to
mitigate the security violations based at least in part on the initiated security procedure; and

means for determining whether the automated security validation system conforms to one
or more industry network security standards based on at least one of the security assessments, the
security compliance checks, [[and]] or the security vulnerability scanning.

31. (Currently Amended) A security learning system for an industrial automation
environment, comprising:

a learning component [[to]] that monitors and learns industrial automation activities
during a training period; and

a detection component [[to]] that automatically triggers a security event based upon
detected deviations of subsequent industrial automation activities after the training period,
wherein the security event includes automatically [[installing one or more security components]]
adjusting at least one security parameter associated with the industrial automation environment.

32. (Currently Amended) The system of claim 31, the industrial automation activities
include[[s]] at least one of a network activity [[and]] or a device activity.

33. (Currently Amended) The system of claim 31, the learning component including at least
one of a learning model [[and]] or a variable

34. (Currently Amended) The system of claim 31, the industrial automation activities include
at least one of a number of network requests, a type of network requests, a time of requests, a 
location of requests, status information, [[and]] or counter data.

35. (Currently Amended) The system of claim 31, the detection component employs at least
one of a threshold [[and]] or a range to determine the deviations.

36. (Currently Amended) The system of claim 35, the at least one of the threshold [[and]] or the
range are dynamically adjustable. 

37. (Currently Amended) The system of claim 33, the learning model includes at least one of 
mathematical models, statistical models, probabilistic models, functions, algorithms, [[and]] neural
networks, classifiers, inference models, Hidden Markov Models (HMM), Bayesian models,
Support Vector Machines (SVM), vector-based models, [[and]] or decision trees.

38. (Currently Amended) The system of claim 31, the security event further includes at least
one of automatically performing corrective actions, altering network patterns, adding security
components, removing security components, adjusting security parameters, firing an alarm,
notifying an entity, generating an e-mail, interacting with a web site, [[and]] or generating security
data to mitigate network security problems.

39. (Currently Amended) A security learning method, comprising: 
monitoring a network of industrial controllers for a predetermined time;

automatically learning at least one data transfer pattern of the network of industrial
controllers during the predetermined time; [[and]]

generating an alarm and altering network activity to adjust a current data transfer pattern
[[where a]] if the current data transfer pattern is determined to be outside of a predetermined
threshold associated with one or more industry standards.

40. (Currently Amended) The method of claim 39, further comprising:

employing the at least one data transfer pattern [[employed]] as input for a security analysis
process[[.]]; and

adjusting at least one security parameter associated with the network of industrial 
controllers based on the security analysis process and the input. 

41. (Currently Amended) A security learning system in an automation environment,
comprising: 

means for scanning a network; 

means for learning access patterns to at least one industrial automation device from the 
network; and 

means for generating a security event [[where]] that disables network requests from at least
one outside network upon determining that the access patterns are [[determined to be]] out of
tolerance [[from]] with stored access patterns as compared to one or more industry standards.

42-44. (Cancelled). 

45. (Previously Presented) The tool of claim 1, the analyzer component is adapted for 
partitioned security specification entry and sign-off from various groups. 

46. (Currently Amended) The system of claim 17, the scanner component and the validation 
component are at least one of a host-based component [[and]] or a network-based component.

47. (Currently Amended) The system of claim 21, at least one of the host-based component
[[and]] or the network-based component at least one of determines susceptibility to common
network-based attacks, searches for open Transmission Control Protocol/User Datagram Protocol
(TCP/UDP) ports, scans for vulnerable network services, attempts to gain identity information
about end devices that relates to hacker entry, or performs vulnerability scanning and auditing on
firewalls, routers, security devices, and factory protocols.

48. (New) The system of claim 1, the validation component automatically installs one or 
more security components in response to the one or more vulnerabilities. 

49. (New) The system of claim 1, wherein the analyzer component further performs an 
automated action that alters access patterns to the one or more industrial controllers upon 
detecting a deviation from the at least one of shop floor access patterns, Intranet access patterns,
Internet access patterns, or wireless access patterns in excess of a threshold.

50. (New) The system of claim 12, wherein the at least one automated security event
includes at least disabling network attempts to access the one or more industrial controllers. 